Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form allows Stored XSS. This issue affects Creative Contact Form: from n/a through 1.0.0.
AnalysisAI
CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads through contact form submissions, affecting any user who views the contaminated form data. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low attack complexity, making it readily exploitable in typical web deployments.
Technical ContextAI
This vulnerability combines two distinct attack classes: CSRF (CWE-352) as the primary vector and Stored XSS as the impact. The Creative Contact Form plugin lacks CSRF token validation (anti-CSRF mechanisms) on form submission endpoints, allowing attackers to craft state-changing requests without user authorization. The absence of output encoding or input sanitization permits injected JavaScript to persist in the application's database or session handling, executing in the context of subsequent users' browsers. This affects the Creative-Solutions product line, specifically the Creative Contact Form component versions 1.0.0 and earlier. The vulnerability likely resides in the form processing handler that accepts user input without adequate CSRF protection (missing SameSite cookie attributes, CSRF tokens, or origin validation) and fails to sanitize output when rendering stored contact form data.
RemediationAI
Immediate actions: (1) Disable or remove Creative Contact Form plugin if not actively required; (2) Restrict access to contact form pages via WAF rules or IP allowlisting if feasible; (3) Implement Content Security Policy (CSP) headers to mitigate Stored XSS execution. Patch actions: (1) Monitor Creative-Solutions official advisory/changelog for patched versions > 1.0.0; (2) Apply vendor patch immediately upon release; (3) If no patch is available, implement manual code hardening: add CSRF token validation using industry-standard libraries (e.g., OWASP CSRF Guard), sanitize all form output with HTML entity encoding or a whitelist-based HTML filter (e.g., HTML Purifier). Workarounds: (1) Implement server-side input validation and output encoding; (2) Apply CSP headers with script-src 'self' to block inline/external script injection; (3) Use HTTPOnly and Secure flags on session cookies, combined with SameSite=Strict attribute to limit CSRF impact. Monitoring: Enable logging and alerting on form submission patterns and stored XSS signatures in form data fields.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28469